Network and distributed system security symposium

Hacking Cars with Keyless Systems Feasible and Practical, Swiss Researchers Say

As I noted last year, the security of modern cars is about the same as that of your average PC. Swiss security researchers at ETH Zurich University have again reinforced that point, at least according to this article in MIT's Technology Review two weeks ago. Apparently, the researchers have shown that it is both "feasible and practical" to hack cars equipped with passive keyless entry and start (PKES) (aka smart key) systems, according to this other somewhat more detailed article in ComputerWorld that came out today. While hacking smart keys has been discussed for some time (see this PDF), finding an approach workable by your "average car thief" has proven a bit more elusive. According to the story in Technology Review, the researchers: "... examined 10 car models from the eight manufacturers. They were able to access all 10 and drive them away by intercepting and relaying signals from the cars to their wireless keys. While …

Car Theft by Antenna

Car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key, according to new research that will be presented at the Network and Distributed System Security Symposium next month in San Diego, California. The researchers successfully attacked eight car manufacturers’ passive keyless entry and start systems—wireless key fobs that open a car’s doors and start the engine by proximity alone. Srdjan Capkun, an assistant professor of computer science in the system security group at ETH Zurich in Switzerland, who led the work, says he was inspired to investigate the security of keyless entry and start systems after buying a car that had one. Capkun and Aurélien Francillon and Boris Danev, both researchers in the same institution, examined 10 car models from the eight manufacturers. They were able to access all 10 and drive them away by intercepting and relaying signals from the cars to their …

Want to Track People? There’s an App for That

More than half of all iPhone apps collect and share a unique code that could be used to track users without their knowledge, according to a recent study. Manuel Egele, a doctoral student at the Technical University of Vienna, and three other researchers examined how more than 1,400 iPhone apps handle user data. Only a small number blatantly compromised privacy: 36 accessed the device’s location without first informing the user; another five mined data from the user’s address book without permission. The research will be presented at the Network and Distributed System Security Symposium in early February. However, more than half of the iPhone applications studied collected the device ID—a 40-digit hexadecimal number identifying a particular phone. More than 750 of the apps studied used some sort of tracking technology. In about 200 cases, the developer created a way to track a device’s identifier code; the other apps used this functionality …

Hacking keyless car entry systems is easy, study shows

In this day and age anything with a rudimentary electronic circuit is subject to hacking. So it should come as no big surprise that hackers are paying attention to the keyless entry systems found in many modern automobiles. The good news for car owners is that, so far, the hackers in question have been benevolent Swiss researchers. The bad news: the researchers think that car thieves may be able to hack into cars and drive away with some basic gadgetry. The study was conducted by ETH Zurich, a system security firm based in Switzerland, and first reported by MIT’s Technology Review. The group tested 10 car models from eight different manufacturers. All were equipped with keyless entry and keyless ignition systems controlled through wireless fobs. All 10 cars were able to be accessed and driven away. The researchers rigged a dual-antenna system to gain access to cars: one antenna was placed close to the vehicles and the other close to the key. Signals from the car to …

Improved Method Lets Computers Know You Are Human

CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. CAPTCHAs represent a security mechanism that is often seen as a necessary hassle by Web services providers — necessary because they seek to prevent Web resource abuse, yet a hassle because the representation of a CAPTCHA may not be easy to solve. Moreover, successful attacks have been developed against many existing CAPTCHA schemes. Nitesh Saxena, Ph.D., associate professor of the Department of Computer and Information Sciences and information assurance pillar co-leader of the Center for Information Assurance and Joint Forensics Research, led a team that investigated the security and usability of the next generation of CAPTCHAs that are based on simple computer games. The UAB researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive …

Is Zero-effort Computer Security a Dream? Breaking a New User Verification System

University of Alabama at Birmingham and Aalto University have found vulnerabilities in a recently proposed user-verification security system for computers. This new security system, developed by Dartmouth College researchers, was created in response to a need for easy-to-use systems that determine whether someone is, in fact, who he or she is declaring to be — a process known as authentication. “In our technologically based society, we need a password to do just about everything — from banking to communicating,” said Nitesh Saxena, Ph.D., the director of the Security and Privacy In Emerging computing and networking Systems (SPIES) lab and associate professor of computer and information sciences in UAB’s College of Arts and Sciences. “Because people often have trouble remembering all of their various passwords for different platforms, there is a lot of value in identifying simple, yet secure, ways to log in and log out of whatever it …

SPOTLIGHT ON SECURITY Banking Trojan Targets Petrochemical Outfits

The pernicious program Citadel has been around for a while, but it's using some new tricks on new targets. From its humble origins as a "man in the browser" thief of banking credentials, Citadel has become a knave of all trades. Once it lands on a computer, it can be configured in a number of ways with a file from a server operated by Web predators. Citadel now can achieve "full remote control over an infected machine," Dana Tamir, director of enterprise security for Trusteer, an IBM company, told TechNewsWorld. "In the past, [Citadel] targeted individuals and their personal and financial information," Tamir said. "The reason? It wanted to steal money." Now the malware is being used to target enterprises, many of them petrochemical companies located in the Middle East, Trusteer researchers have discovered. "When you target these petrochemical companies, you're not targeting individuals anymore," Tamir noted. "You're targeting enterprise systems. That's all about information." Trusteer has not …

TCP Flaw Opens Linux Systems to Hijackers

A flaw in the RFC 5961 specification the Internet Engineering Task Force developed to protect TCP against blind in-window attacks could threaten Android smartphones, as well as every Linux computer on the planet. [*Correction - Aug. 12, 2016] The flaw is described in a paper a team of researchers presented at the 25th Usenix Security Symposium, ongoing in Austin, Texas, through Friday. The researchers are affiliated with the University of California at Riverside and the United States Army Research Laboratory. The vulnerability, CVE-2016-5696, lets attackers hijack plaintext communications between two devices communicating over TCP on the Internet. The RFC 5961 spec is implemented in Linux kernel v3.6 and later. [*Correction - Aug. 12, 2016] "This attack could be used to target long-lived back-end connections like database sessions or management and monitoring channels," said Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposures Research Team. "Since only …

SPOTLIGHT ON SECURITY Old Tech Can Create New Security Woes

"Patch your systems in a timely manner" is a mantra of security experts, but what happens when the patch well runs dry because a product's maker no longer supports it? That is a situation many large enterprises find themselves in, and it's one that poses security risks. Between 30 percent and 50 percent of the hardware and software assets in the average large enterprise have reached their end-of-life date, according to a BDNA report released last month. End-of-life products pose a serious security risk to the enterprise. "The vast majority of vulnerabilities -- more than 99 percent -- exploit out-of-date software with known vulnerabilities," said BDNA President Walker White. Oversight is a common reason end-of-life products continue to run on an organization's systems. "There may be a new version of a product, but because you don't have a clear view of what's in your environment, you can miss the old version in your upgrade process," White told TechNewsWorld. That's how orphan apps are …

SPOTLIGHT ON SECURITY Venom Less Toxic Than Heartbleed

It was a little over a year ago that the Heartbleed bug shocked the Internet with its potential for mischief. Now another flaw in open source code has sent network administrators into damage control mode. The bug, called "Venom" for "Virtualized Environment Neglected Operations Manipulation," allows an intruder to jump out of a virtual machine and execute malicious code on its host. Virtual machines are widely used in data centers, so it has the potential to cause widespread mischief. "Exploitation of the Venom vulnerability can expose access to corporate intellectual property, in addition to sensitive and personally identifiable information, potentially impacting the thousands of organizations and millions of end users that rely on affected [virtual machines] for the allocation of shared computing resources, as well as connectivity, storage, security and privacy," reads a post on the CrowdStrike website. Venom was discovered by Jason Geffner, CrowdStrike senior security …